Zero-Trust Encryption
Every file is encrypted client-side with AES-256-GCM before it leaves the device. No plaintext at rest or in transit. Keys never leave the local machine. The cloud provider sees only ciphertext.
Windows Cloud Files API · dABAC policy enforcement
Streaming AEAD · IDA shard dispersal
Every design decision in ntkDesktop traces back to one of three invariants. These aren't features — they're structural constraints that cannot be relaxed.
Access is controlled by attribute, not role.
AND-of-OR policy evaluation runs locally — no server round-trip required.
Unknown attribute always evaluates to deny.
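As an added illustration that is not ntkDesktop's own code, the following Python evaluator implements the AND-of-OR rule above with local, fail-closed evaluation; the attribute names and the sample policy are constructed, and treating an empty policy as deny is an assumption.

```python
from dataclasses import dataclass
from typing import Mapping, Sequence, Union

AttrValue = Union[str, Sequence[str]]


@dataclass(frozen=True)
class Clause:
    """One OR-clause: the subject must hold `attribute` with a value in `allowed`."""
    attribute: str
    allowed: frozenset


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str  # for local audit logging only; never changes the verdict


def _subject_values(value: AttrValue) -> frozenset:
    # Attributes may be single-valued ("clearance") or multi-valued (group lists).
    if isinstance(value, str):
        return frozenset([value])
    return frozenset(value)


def evaluate(policy: Sequence[Clause], subject: Mapping[str, AttrValue]) -> Decision:
    """AND-of-OR evaluation: every clause must hold (AND); a clause holds when at
    least one of the subject's values for that attribute is allowed (OR).
    No I/O is performed, so the decision needs no server round-trip.
    An attribute the subject does not carry is unknown and yields deny, so a
    missing or stripped attribute can never widen access."""
    if not policy:  # assumption: an empty policy grants nothing (fail closed)
        return Decision(False, "empty policy: nothing grants access")
    for clause in policy:
        if clause.attribute not in subject:
            return Decision(False, f"unknown attribute {clause.attribute!r}")
        held = _subject_values(subject[clause.attribute])
        if held.isdisjoint(clause.allowed):
            return Decision(False, f"{clause.attribute!r} not in {sorted(clause.allowed)}")
    return Decision(True, "all clauses satisfied")


# Constructed sample policy (hypothetical attribute names, not ntkDesktop's schema):
# (department in {finance, audit}) AND (clearance in {confidential, secret}) AND (device in {managed})
POLICY = (
    Clause("department", frozenset({"finance", "audit"})),
    Clause("clearance", frozenset({"confidential", "secret"})),
    Clause("device", frozenset({"managed"})),
)

if __name__ == "__main__":
    print(evaluate(POLICY, {"department": ["audit", "it"], "clearance": "secret", "device": "managed"}))
    print(evaluate(POLICY, {"department": "finance", "clearance": "secret"}))  # no device attribute
```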
Built on the Windows Cloud Files API. Placeholder awareness, on-demand hydration, and Shell context-menu integration — exactly as Windows intends. No shell hooks. No polling.
Data flows in one direction through deterministic stages. Each stage is independently auditable. No shortcuts, no bypass paths.
    [ Cloud Storage ]
           │
    ┌──────▼─────┐
    │  Encrypt   │  AES-256-GCM + per-file keys
    │  Disperse  │  k-of-n IDA across providers
    └──────┬─────┘
           │
    ┌──────▼─────┐
    │  CF API    │  CfCreatePlaceholders
    │  Sync Root │  CfExecute (4096-aligned)
    └──────┬─────┘
           │
    [ Windows Shell ]
ntkDesktop abstracts cloud storage behind a uniform sync-root interface. Swap providers without changing encryption or policy configuration.